Splunk Search

How to search with a span of 1 day and 2 hours?

karthi2809
Communicator

This is my query and I have some challenges in the log. The thing is, my daily job will start at 11 PM. If the job runs successfully, it will complete before 11:30. So I set the status as success. But in case of a job timeout, the job times out at 1:30 AM the next day. Again, the job started at 11 PM the next day and ran successfully, but now I have a failure and a success on the same day. How can I check the event and set the status as a failure?

index=xx* app_name="xxx" OR cf_app_name="yyy*" OR app_name="ccc"
| bin _time span=1d ```bin (alias bucket) is the SPL command that buckets _time; span_time does not exist```
| eval dayweek=strftime(_time,"%A") ```%A gives the weekday name that the case() below compares against; %H would give the hour```
| convert timeformat="%m-%d-%y" ctime(_time) as c_time
| eval Job = case(like(msg, "%first%"), "first Job", like(msg, "%second%"), "second Job", like(msg, "%third%"), "third job", like(msg, "%fourth%"), "fourth job")
| stats count(eval(like(msg, "%All feed is completed%") OR like(msg, "%Success:%") OR like(msg, "%Finished success%"))) as Successcount
        count(eval(like(msg, "%Fatal Error:%") OR (like(msg, "%Job raised exception%") AND like(msg, "% job error%")))) as failurecount
        by Job c_time dayweek
| eval status=case((Job="fourth job") AND (dayweek=="Saturday" OR dayweek=="Sunday"), "NA", Successcount>0, "Success", failurecount>0, "Failure")
| xyseries Job c_time status


0 Karma

to4kawa
SplunkTrust

try span=26h

0 Karma

karthi2809
Communicator

Yes, I tried span=26h. But when I search for the last 30 days, the extra 2 hours are taking time from the days.

e.g.:

07-03-20, 07-04-20, 07-05-20, 07-06-20, 07-07-20, 07-08-20, 07-09-20, 07-10-20, 07-11-20, 07-12-20, 07-13-20, 07-14-20, 07-15-20, 07-16-20, 07-17-20, 07-18-20, 07-19-20, 07-20-20, 07-21-20, 07-22-20


So in the result I am not getting anything for day 07-14-20.

0 Karma

soutamo
SplunkTrust

Hi

This is what happens after 12 days, as the span is starting at day 13 - 1 and ending at day 13 + 1. As you are using span, those can never overlap each other.

r. Ismo

0 Karma

karthi2809
Communicator

Can you explain briefly? If there is any sample, it will be great.

0 Karma

soutamo
SplunkTrust

It goes something like this.

Span #   Start time          End time
1        Day 1 00:00:00      Day 2 01:59:59
2        Day 2 02:00:00      Day 3 03:59:59
...
11       Day 11 20:00:00     Day 12 21:59:59
12       Day 12 22:00:00     Day 13 23:59:59
13       Day 13 24:00:00     Day 15 01:59:59
14       Day 15 02:00:00     Day 16 03:59:59

As you can see, after some number of spans there is always a situation where it skips one day. This happens every time when span > 1d, and if span < 1d then there will be (at least) two entries for one day.

r. Ismo
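The following Python script is an added illustration, not code from this thread or from Splunk. It models fixed-width buckets as contiguous 26-hour windows starting at the search's earliest time (an assumption: Splunk's bin aligns buckets to the epoch, so the calendar day that gets skipped in a real search can differ from the one here), lists which calendar dates receive no bucket start and therefore never appear as a c_time label, and then shows an alternative: keep span=1d but shift each event's _time back by a few hours so that a 1:30 AM timeout is counted against the previous evening's 11 PM run. The job name, messages and timestamps are constructed; the 4-hour rollover, the SPL one-liner in the job_day docstring, and the rule that a failure outranks a success on the same job day are my assumptions, not something the thread states.

```python
"""Why a 26h span skips a calendar day, and a day-boundary shift that avoids it.

Added illustration, not code from the thread or from Splunk. Fixed-width
buckets are modelled as contiguous windows of `span_seconds` starting at T0
(assumption: real `bin` aligns to the epoch, so the exact skipped day differs).
"""
from collections import defaultdict
from datetime import datetime, timedelta

HOUR = 3600
DATE_FMT = "%m-%d-%y"          # same label format as the thread's c_time field
T0 = datetime(2020, 7, 3)      # constructed search start, matching the thread's first date


def bucket_start_dates(t0, span_seconds, horizon_days):
    """Calendar dates (as %m-%d-%y) on which at least one bucket starts.

    This is what the original query labels each row with: c_time is the bucket
    start rendered as a date, so a date with no bucket start never shows up.
    """
    end = t0 + timedelta(days=horizon_days)
    dates = set()
    k = 0
    while t0 + timedelta(seconds=k * span_seconds) < end:
        dates.add((t0 + timedelta(seconds=k * span_seconds)).strftime(DATE_FMT))
        k += 1
    return dates


def skipped_dates(t0, span_seconds, horizon_days):
    """Dates inside the horizon that get no bucket start, in order."""
    every_day = {(t0 + timedelta(days=i)).strftime(DATE_FMT) for i in range(horizon_days)}
    return sorted(every_day - bucket_start_dates(t0, span_seconds, horizon_days))


def calendar_day(ts):
    """Plain span=1d grouping: the date the event was logged on."""
    return ts.strftime(DATE_FMT)


def job_day(ts, rollover_hour=4):
    """Logical job day: anything logged before rollover_hour belongs to the
    previous evening's 11 PM run. Assumed SPL equivalent (not from the thread):
        | eval job_day=strftime(_time - 4*3600, "%m-%d-%y")
    """
    return (ts - timedelta(hours=rollover_hour)).strftime(DATE_FMT)


SUCCESS_MARKERS = ("All feed is completed", "Success:", "Finished success")
FAILURE_MARKERS = ("Fatal Error:", "Job raised exception", "job error")


def classify(msg):
    """Map a log message to 'success', 'failure' or None, mirroring the two
    count(eval(like(...))) clauses in the original stats command."""
    if any(m in msg for m in SUCCESS_MARKERS):
        return "success"
    if any(m in msg for m in FAILURE_MARKERS):
        return "failure"
    return None


def status_per_day(events, day_fn):
    """One status per (job, day). Assumption: a failure outranks a success on
    the same job day, which is what the asker wants; the original case() tests
    Successcount first and would report Success instead."""
    counts = defaultdict(lambda: {"success": 0, "failure": 0})
    for ts, job, msg in events:
        kind = classify(msg)
        if kind is not None:
            counts[(job, day_fn(ts))][kind] += 1
    return {key: ("Failure" if c["failure"] else "Success")
            for key, c in counts.items()}


# Constructed sample: a run that succeeds on 07-03, a run started 07-04 that
# times out at 01:30 on 07-05, and a run that succeeds again on 07-05 at 23:25.
EVENTS = [
    (datetime(2020, 7, 3, 23, 20), "first Job", "first Job Finished success"),
    (datetime(2020, 7, 5, 1, 30), "first Job", "Fatal Error: first Job timed out"),
    (datetime(2020, 7, 5, 23, 25), "first Job", "Success: first Job all feeds loaded"),
]

if __name__ == "__main__":
    print("span=26h skips:", skipped_dates(T0, 26 * HOUR, 30))
    print("span=24h skips:", skipped_dates(T0, 24 * HOUR, 30))
    print("calendar day  :", status_per_day(EVENTS, calendar_day))
    print("job day       :", status_per_day(EVENTS, job_day))
```

With the 26-hour model, two dates in a 30-day window get no bucket start at all, while the 24-hour model covers every date; that is the skipped-day effect soutamo's table describes, independent of which exact date it lands on. With calendar-day grouping the 01:30 failure and the 23:25 success both land on 07-05 and one of them has to lose, whereas the shifted job_day attributes the failure to the 07-04 run and leaves 07-05 as a clean Success.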

karthi2809
Communicator

Thank you

0 Karma